ISA to consumers: Think security

WASHINGTON -- A coalition of technology companies and others doing business on the Internet have released a list of nine steps they believe consumers and remote workers should take to protect themselves and keep their computers from being used as weapons on the Internet.

The Internet Security Alliance's (ISA) recommendations, published in its new "Common Sense Guide for Home and Individual Users," won't be a surprise to most company system administrators, but some of the steps may be new to many Internet users, according to speakers at a Thursday press conference. In July 2002, the Internet Security Alliance, which represents about 2,500 technology and Internet companies, also released its "Common Sense Guide for Senior Managers," and both guides are available at http://www.isalliance.org/.

More consumer education is needed about Internet security, said Orson Swindle, a commissioner with the U.S. Federal Trade Commission (FTC). He prefers a proactive approach, with publications like the ISA's, instead of consumers finding out about security issues when a virus is making the rounds.

"We have a long way to go, and we literally do need events every month to raise awareness," Swindle said. "I believe that good privacy and security practices help build consumer trust and confidence, and without trust and confidence, I am almost certain the benefits of information technology and communication ... will never, ever reach their full potential."

The nine recommendations are divided into seven basic actions and two advanced actions. The seven basic actions are the following:

-- Install and use antivirus programs. -- Keep your system patched. -- Use care when reading e-mail with attachments. -- Install and use a firewall program. -- Make backups of important files and folders. -- Use strong passwords. -- Use care when downloading and installing programs.

The two more advanced actions:

-- Install and use a hardware firewall. -- Install and use and file encryption program and access controls.

Some of the items are easier recommended than implemented. The vulnerability allowing the Slammer worm, which hit Microsoft servers worldwide in late January, was first identified eight months earlier, and Microsoft Corp. issued a patch for it six months before the recent attacks, noted Dave McCurdy, executive director of the Internet Security Alliance.

"There are many people who should have been aware, but had not taken action," McCurdy said.

Consumers need to pay attention, Swindle said, because their computers can be used to spread viruses and cause mayhem if the owners don't take active security measures. "We're all linked together through this marvelous invention called the Internet ... with very powerful personal computers," he said. "If that computer is not adequately protected from intrusions, that computer can literally be turned into a weapons system."

But speakers at the press conference didn't lay all the responsibility for Internet security on individual users. Companies, government agencies and individuals all need to be security conscious, McCurdy said.

Companies lax on security and privacy issues could face FTC action, such as the 2002 investigation into the Microsoft Passport service's security and privacy promises, Swindle noted.